It’s time for a massive paradigm shift in cybersecurity. Cyber attacks are skyrocketing, both in incidence and in impact. The breakneck pace of digital transformation (driven by the pandemic) opened up multiple new risk frontiers. Meanwhile, many IT teams are saddled with what CPOMagazine.com calls a “complex patchwork of cybersecurity tools,” that are often poorly integrated or simply too niche for this new era. Then there’s the unprecedented state of the cyber insurance market, with carriers reeling from severe losses and coverage harder and more expensive than ever to secure.
None of this is sustainable. That’s why we need a seismic shift in how businesses, brokers, carriers and their partners should think about, manage, hedge and insure digital risk. And that’s what the Real Digital Risk Series (RDRS) is all about.
RDRS brings together executives, brokers, carriers and other business leaders to learn about and discuss ways to foster a more resilient, collaborative approach to digital risk and cybersecurity. The first event was held on October 12, 2022 at Insight Enterprises in Phoenix, Arizona and hosted by SecondSight Founder and CEO Reuben Vandeventer.
If you weren’t able to join us, here are four important takeaways you can use to inform your 2023 cybersecurity and budget allocation planning.
Tim Crown, Co-Founder and Chairman of the Board at Insight Enterprises, set the table thusly: “the biggest change in cybersecurity is the fundamental awareness that every single individual in the organization, internally and externally, has to be involved in the conversation.” To put things more directly, Insight’s Vice President and Chief Information Security Officer (CISO) Jason Rader said, “I don’t want 100 people on my security team. I want 12,000 people on my security team.”
This point came directly from CISO Jason Rader — “A Chief Information Security Officer with a technical-only orientation isn’t going to be super effective anymore…The new CISO is a business enabler. I consider that a partnership now where the CISOs get to step out of the dark rooms and into the boardrooms.”
Developments on the SEC front are driving this shift. The new rules proposed in Q2 of 2022 require public-company Boards of Directors to have cybersecurity expertise in the mix, just as Sarbanes-Oxley pushed financial expertise at the board level. This is a good thing. In today’s digital business world, corporate boards can’t steer the ship effectively if they don’t have cybersecurity expertise at the table.
Insight Co-Founder and Chairman Tim Crown said “From a board perspective, this is the thing we’re trying to get our heads around: how much do we spend? (CISO) Jason’s laundry list of things we might want to have is unlimited… How far down that list do we go? I don’t know the answer to that. Ultimately, we’re looking at people like Jason to give us their expert opinion.”
So when IT leaders try to make a case for cybersecurity initiatives in board-level capital allocation meetings, there’s a disconnect. Non-technical leaders usually can’t fully appreciate or budget appropriately for these efforts because IT is talking in a foreign language. The same thing goes for risk-control initiatives aimed at securing and maintaining cyber coverage.
As SecondSight’s Reuben Vandeventer said, “It’s really challenging for an executive to manage real digital risk if they don’t understand or have the ability to see what that risk is in their business. Translating the threat is a major breakdown for cyber executives and insurance teams.”
One initiative that’s on the CISO’s radar, year after year, is the annual cyber insurance renewal. Organizations simply can’t afford to lose cyber coverage or go without. Demonstrating that the company is a good risk is vital to obtaining and renewing coverage at viable terms — and that requires actively managing digital risk year-round, especially maintaining the risk controls required by the major carriers.
Gartner recently forecast that spending on information security and risk management will top $186.3 billion in 2023. Cyber hygiene will never qualify as a capital project (it falls into OPEX). Insurability, however, as a project can be capitalized, with designated resources all year round.
Strategist and cybersecurity thoughtleader Robert Napoli, writing in Forbes, says that “…more companies are considering their information security posture to be a part of their overall business strategy, with associated payoffs and return on investment.” Napoli emphasizes the importance of ensuring capital allocation to “those cyber risks that have the most material financial, business, and operational impact.”
Remediating gaps in cyber risk controls isn’t a last-minute proposition. Rolling out multi-factor authentication across all digital assets, for example, could take an entire year. James Reed, Vice President and Cyber Regional Leader at USI, said his organization encourages clients to prepare early and stay ahead of the renewal cycle. Once carriers spot an important risk control gap on a client’s application, “you’ve kind of muddied the waters already and you might not get a second bite at the apple.” The opportunity to secure favorable terms may be gone — even if the client goes back and fixes the issue.
Clearly, insurability has to be an ongoing project with board-level annual planning and a dedicated capital budget. That calls for senior-level project management and collaboration within the organization, with its broker partner, and with any other partners that touch the digital environment.
Stay tuned for the next Real Digital Risk Series event, coming soon from SecondSight. In the meantime, if you’d like to join the discussion or find out more, contact email@example.com. We look forward to connecting with you!